[Snort-users] FW: Currently MS UDP/1434 attacks

Rich Adamson radamson at ...2127...
Sat Jan 25 07:14:02 EST 2003


Below note just posted on another list...

Current serious vulnerability... best be blocking the port real soon!
Might read http://www.nextgenss.com/advisories/mssql-udp.txt for some
tech detail.

Hey folks,

> Seems that as of 12:30 AM EST today a MS-SQL worm has been wreaking
> havoc on the Internet. Some of the tier 1 providers are reporting nearly
> 100% packet loss on their peering links. I'm seeing mixed reports, but
> it looks like this worm leverages a Cisco Netflow bug and/or multicast
> addressing to amplify the attack. This makes the bandwidth consumption
> far worse than the Code Red and Nimda.
> Here are the advisories of concern:
> http://www.kb.cert.org/vuls/id/370308
> http://www.kb.cert.org/vuls/id/399260
> http://www.kb.cert.org/vuls/id/484891
> http://www.kb.cert.org/vuls/id/796313
> Please notice that the most current is from 7/2002 so if you are patched
> you are cool. You are also in good shape if you are blocking UDP/1434
> inbound and _outbound_. Outbound is important to ensure you don't spread
> the thing if you catch it. You are also cool if you have, like me,
> installed the "Red Hat" patch to all of your servers. ;-)
> I just checked dshield at:
> http://isc.incidents.org/port_details.html?port=1433
> and it actually shows UDP/1434 traffic as being lower than normal, but I
> would expect this is due to report lag time rather than real numbers.
> I know all of the above sounds really bad folks, but not to worry. I
> received a personal e-mail from Bill Gates this week saying they are now
> focused on security so I'm sure this is just some kind of simple
> misunderstanding. ;-)
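
An added example, not part of the original post or of Snort: a small flow-log check for the two directions the forwarded message says to block, flagging internal hosts that send UDP/1434 to many outside addresses and counting UDP/1434 packets that reach internal hosts. The record format, the 10.0.0.0/8 internal range, the fan-out threshold and all sample records are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

WATCHED_PORT = "1434"                                   # UDP port named in the post
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]    # assumption: site address space

# Constructed sample records: "epoch proto src_ip src_port dst_ip dst_port"
SAMPLE_FLOWS = """\
1043496001 udp 10.1.2.30 1037 198.51.100.7 1434
1043496001 udp 10.1.2.30 1037 198.51.100.88 1434
1043496001 udp 10.1.2.30 1037 203.0.113.14 1434
1043496002 udp 10.1.2.30 1037 192.0.2.201 1434
1043496002 udp 10.1.2.40 1050 192.0.2.5 1434
1043496003 udp 203.0.113.9 4001 10.1.2.50 1434
1043496004 udp 203.0.113.9 4001 10.1.2.50 1434
1043496005 tcp 10.1.2.60 3200 192.0.2.5 1433
1043496006 udp not-an-ip 1 192.0.2.5 1434
"""

def is_internal(addr):
    ip = ipaddress.ip_address(addr)          # raises ValueError on garbage
    return any(ip in net for net in INTERNAL_NETS)

def classify(flows, fanout_threshold=3):
    """Return (suspects, inbound): internal sources fanning out on the
    watched port, and per-host counts of inbound packets to that port."""
    fanout = defaultdict(set)
    inbound = defaultdict(int)
    for line in flows.splitlines():
        fields = line.split()
        if len(fields) != 6 or fields[1].lower() != "udp" or fields[5] != WATCHED_PORT:
            continue
        src, dst = fields[2], fields[4]
        try:
            src_in, dst_in = is_internal(src), is_internal(dst)
        except ValueError:
            continue                          # skip malformed addresses
        if src_in and not dst_in:
            fanout[src].add(dst)              # outbound: possible spreading host
        elif dst_in and not src_in:
            inbound[dst] += 1                 # inbound: probe reaching a host
    suspects = {h: len(d) for h, d in fanout.items() if len(d) >= fanout_threshold}
    return suspects, dict(inbound)

if __name__ == "__main__":
    print(classify(SAMPLE_FLOWS))
```

Hosts in the first result are candidates for isolation and patching; hosts in the second are being reached on UDP/1434 despite any inbound block.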
